security: send lock_id via X-CacheKit-Lock-Id header, not query string (#24)

[27Bslash6]

Closes #24.

release_lock built the unlock URL as {key}/lock?lock_id={token}. Query strings leak into access/proxy logs and OpenTelemetry http.url spans (CWE-532) — even URL-encoded, the capability token is still in the URL and replayable within the lock TTL.

Change

• Extracted CachekitIO::release_request() (shared by release_lock and a server-free test).
• Dropped ?lock_id= from the URL; the token is sent in the X-CacheKit-Lock-Id header (new LOCK_ID_HEADER const).

Wire compatibility

SaaS dual-reads the header + legacy ?lock_id= (prefers header), shipped in saas#140 / deployed in 0.1.7. Wire-compatible with live api.cachekit.io. Ratified in protocol spec/saas-api.md.

Tests / checks

• New unit test builds the request via RequestBuilder::build() (no mock server) and asserts the token is in the header and never in the DELETE URL (no query, no lock_id, no token substring).
• cargo test + cargo clippy --all-targets -- -D warnings + cargo fmt --check all clean.
• Audited crates/cachekit/src/backend/workers.rs (per track: lock_id query-string → header (pending protocol decision) #24) — no lock_id query usage there.

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Enhanced security for lock token transmission in the cachekit.io backend. Lock capability tokens are now transmitted through secure HTTP request headers instead of being appended to URL query parameters. This improves the overall security and reliability of distributed lock operations whilst maintaining full backward compatibility with existing functionality and integrations.

[coderabbitai]

Walkthrough

The CachekitIO LockableBackend now sends lock capability tokens via the X-CacheKit-Lock-Id request header instead of appending them as ?lock_id=... query parameters. A new release_request helper builds the DELETE unlock request with the token in the header, release_lock uses this helper, and a unit test verifies the token remains out of the URL.

Changes

Lock token header transport

Layer / File(s)	Summary
Lock header transport implementation and validation crates/cachekit/src/backend/cachekitio_lock.rs	CachekitIO::release_request helper constructs DELETE unlock requests using X-CacheKit-Lock-Id header; release_lock delegates to this helper, replacing query-string construction; unit test asserts the URL contains no lock_id query parameter or token and that the header is correctly set.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• lock_id leaks via URL query string (CWE-532) — move to request header cachekit-py#131 — Coordinated cross-SDK wire-format change moving lock_id from query string to X-CacheKit-Lock-Id header for CWE-532 mitigation.
• cachekit-io/saas#138 — Server-side counterpart that should read lock_id from X-CacheKit-Lock-Id header instead of query string.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: moving lock_id from query string to header for security.
Linked Issues check	✅ Passed	All primary objectives from #24 are met: lock_id moved to X-CacheKit-Lock-Id header, Workers backend audited, tests added asserting no lock_id in DELETE URL.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: cachekitio_lock.rs modifications, release_request helper, unit test, and Workers backend audit.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/24-lock-id-header

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/cachekit/src/backend/cachekitio_lock.rs`:
- Around line 148-152: Replace the hardcoded header name in the test with the
LOCK_ID_HEADER constant: locate the assertion fetching the header in
cachekitio_lock.rs (the code block using req.headers().get(...).expect(...) and
assert_eq!(header, "lock-secret-123")) and change the header lookup to use
LOCK_ID_HEADER instead of the string literal so the test references the
canonical header name used by the implementation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0cde2206-fc83-400f-8140-6397bc2e2586

📥 Commits

Reviewing files that changed from the base of the PR and between fc3e800 and c117a88.

📒 Files selected for processing (1)

• crates/cachekit/src/backend/cachekitio_lock.rs

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Use the LOCK_ID_HEADER constant instead of the hardcoded string.

The test hardcodes "X-CacheKit-Lock-Id" rather than referencing the LOCK_ID_HEADER constant. If the header name ever changes in the implementation, this test would silently pass whilst verifying the wrong header.

♻️ Suggested fix

         // ...it rides the X-CacheKit-Lock-Id header under the exact wire name.
         let header = req
             .headers()
-            .get("X-CacheKit-Lock-Id")
+            .get(LOCK_ID_HEADER)
             .expect("X-CacheKit-Lock-Id header must be set");
         assert_eq!(header, "lock-secret-123");

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/cachekit/src/backend/cachekitio_lock.rs` around lines 148 - 152,
Replace the hardcoded header name in the test with the LOCK_ID_HEADER constant:
locate the assertion fetching the header in cachekitio_lock.rs (the code block
using req.headers().get(...).expect(...) and assert_eq!(header,
"lock-secret-123")) and change the header lookup to use LOCK_ID_HEADER instead
of the string literal so the test references the canonical header name used by
the implementation.

[27Bslash6]

Merging despite the red 1.85 check. That job hung ~10 min then failed with "self-hosted runner lost communication" (ARC runner starvation/eviction) on two consecutive runs, while stable, beta, wasm32, and CodeRabbit all passed in ~1 min each. The 1.85 job is green on main with the same toolchain, and 1.85 is not a required check. Code verified locally (cargo test + cargo clippy --all-targets -- -D warnings + cargo fmt --check) and across 3 CI toolchains — the failure is infra, not code.